SAP patch batch includes fix for 3-year-old info disclosure vuln
Better late than never, right?
SAP has released patches for more than 20 vulnerabilities, including a fix for a flaw first detected three years ago.
Software updates to resolve vulnerabilities in SAP’s Business Intelligence and Business Warehouse products star in the 13-bulletin batch, whose release yesterday coincided with Microsoft’s regular Patch Tuesday security update.
The highest CVSS score among the vulnerabilities is 9.1 (on a scale of 0 to 10, where 10 represents the most severe threat).
Alexander Polyakov, CTO at ERPScan, said SAP’s updates include resolution of bugs in SAP Business Warehouse he identified back in 2013.
“Three years is quite a long period even if a vulnerability has medium criticality,” Polyakov told El Reg. “Information disclosure vulnerabilities are underestimated but they are the first step in every attack chain.”
A separate flaw in SAP’s Business Intelligence (Reporting and Planning Module) software is also a candidate for immediate triage.
“This directory traversal vulnerability can be used to get access to any file on OS, [and can therefore] be used to read critical data,” Polyakov warned.
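To show why a directory traversal bug of the kind Polyakov describes is so dangerous, and what the fix looks like, here is an added illustration that is not code from SAP or from ERPScan. It builds a throwaway "report store" on disk, then contrasts a naive file reader that trusts a client-supplied name with one that resolves the path and refuses anything that escapes the store. The directory layout, file names and contents are constructed for the demo.

```python
import os
import tempfile

# Constructed sandbox: a "report store" holding one legitimate report, plus
# one sensitive file outside the store standing in for an OS file such as
# /etc/passwd or an application config with credentials.
ROOT = tempfile.mkdtemp(prefix="bi_demo_")
STORE = os.path.join(ROOT, "reports")
os.makedirs(STORE)
with open(os.path.join(STORE, "q1.txt"), "w") as f:
    f.write("Q1 sales plan")
SECRET_ABS = os.path.join(ROOT, "secret.txt")
with open(SECRET_ABS, "w") as f:
    f.write("db password")


def read_report_vulnerable(name):
    """Naive reader: joins the client-supplied name onto the store path.

    '../' segments walk out of STORE, and an absolute name makes
    os.path.join discard STORE entirely, so any readable file is exposed.
    """
    with open(os.path.join(STORE, name)) as f:
        return f.read()


def read_report_safe(name):
    """Hardened reader: canonicalise, then require the result to stay in STORE.

    realpath() collapses '..' and follows symlinks on both sides, so the
    comparison is made on the path the OS will actually open, not on the
    string the client sent.
    """
    base = os.path.realpath(STORE)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes report store: %r" % name)
    with open(target) as f:
        return f.read()


def traversal_blocked(name):
    """True if the hardened reader refuses the name, False if it serves it."""
    try:
        read_report_safe(name)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print(read_report_vulnerable("../secret.txt"))   # leaks the secret
    print(traversal_blocked("../secret.txt"))         # True: hardened reader refuses
```

The check must run on the decoded, canonical path: if the application URL-decodes or un-escapes the parameter after this comparison, encodings such as `..%2f` slip past it. An allow-list of permitted file names is stronger still where the set of reports is known in advance.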
The affected technology provides critical information to the CIO and board members. “BI solutions are all about storing data, so all the risks of stealing business-critical data such as financial reports, sales planning, financial planning, production planning, and strategy decisions are possible,” Polyakov added.